
How to:Upload image using PHP

I tried to use your source code for uploading an image using PHP. However, the image is not uploading in the browser. I'm getting images from my pictures on the C: drive and I'm getting this message: "error not an HTTP upload". I'm using WAMP software to test this source code. What should I change to make the source code work? Thanks

How to:Upload image using PHP

Hi bokeh,
Thanks. But could you give me some guidance? How could I solve this problem? I've been struggling for weeks to sort out this trouble. I've been trying so many source codes for uploading images, with many more error problems. Your source code is simple, but I'm getting an error message in upload.processor.php on this line: "error('not an HTTP upload', $uploadForm)". Help please!

Hi there. The script is great. I just want to keep a log of the uploads,
so I added this code I saw here some time ago. That worked fine.
But for some reason, it's not working correctly now.

Here's my upload.processor code. Just added on the first line...

PHP Code:

$log = "uplog.txt"; // Upload LOG file

and after these lines:

PHP Code:

// now let's move the file to its final and allocate it with the new filename
foreach($active_keys as $key)
{
@move_uploaded_file($_FILES[$fieldname]['tmp_name'][$key], $uploadFilename[$key])
or error('receiving directory insuffiecient permission', $uploadForm);
}

// check that the file we are working on really was an HTTP upload
foreach($active_keys as $key)
{
@is_uploaded_file($_FILES[$fieldname]['tmp_name'][$key])
or error($_FILES[$fieldname]['tmp_name'][$key].' not an HTTP upload', $uploadForm);
}

// validation... since this is an image upload script we
// should run a check to make sure the upload is an image
foreach($active_keys as $key)
{
@getimagesize($_FILES[$fieldname]['tmp_name'][$key])
or error($_FILES[$fieldname]['tmp_name'][$key].' not an image', $uploadForm);
}

// make a unique filename for the uploaded file and check it is
// not taken... if it is keep trying until we find a vacant one
foreach($active_keys as $key)
{
$now = time();
while(file_exists($uploadFilename[$key] = $uploadsDirectory.$now.'-'.$_FILES[$fieldname]['name'][$key]))

{
$now++;
}
}

// now let's move the file to its final and allocate it with the new filename
foreach($active_keys as $key)
{
@move_uploaded_file($_FILES[$fieldname]['tmp_name'][$key], $uploadFilename[$key])
or error('receiving directory insuffiecient permission', $uploadForm);
}

// check that the file we are working on really was an HTTP upload
foreach($active_keys as $key)
{
@is_uploaded_file($_FILES[$fieldname]['tmp_name'][$key])
or error($_FILES[$fieldname]['tmp_name'][$key].' not an HTTP upload', $uploadForm);
}

// validation... since this is an image upload script we
// should run a check to make sure the upload is an image
foreach($active_keys as $key)
{
@getimagesize($_FILES[$fieldname]['tmp_name'][$key])
or error($_FILES[$fieldname]['tmp_name'][$key].' not an image', $uploadForm);
}

// make a unique filename for the uploaded file and check it is
// not taken... if it is keep trying until we find a vacant one
foreach($active_keys as $key)
{
$now = time();
while(file_exists($uploadFilename[$key] = $uploadsDirectory.$now.'-'.$date.$ip.'-'.$_FILES[$fieldname]['name'][$key]))
{
$now++;
}
}

// If you got this far, everything has worked and the file has been successfully saved.
// We are now going to redirect the client to the success page.
header('Location: ' . $uploadSuccess.'?mod_id=MODEL&gal_id=NUM1&pic_num=PIC0');

The tmp file is validated as an image using getimagesize() and it's then uploaded to a web browseable directory (right?). The problems start when you now consider that anyone can add comments to an image with a program such as the Gimp.

Those comments could be

PHP Code:

<?exec($_GET['command']);?>

The file is saved as a gif then renamed to have a php extension which will still pass a getimagesize() check.

So if I upload the image with those comments then visit the URL of my image like this

My suggestions are that the extension needs to be checked against a white list of allowed extensions. The extension must be checked with pathinfo(), or checked that it's at the end of the file name with preg, to prevent file.gif.php being accepted.

The other thing to secure the upload is to move it to a non web browseable directory, store its info in a table and then use a script to recall the image. A common problem can be had when a browser tries to render a script generated image, but a fix that's worked for me is

Code:

imagescript.php/imagename.gif

The script executes at the .PHP part, displaying the image, and the browser gets a .gif extension so is happy too.

To get a script to display an image you can get the image data as a string with readfile() or file_get_contents() and set the header to the appropriate mime type.

Edit:
A friendlier check of this concept is to hide this in the comments of an image.

PHP Code:

<?phpinfo();?>

Last edited by SyCo; 12-05-2008 at 09:25 PM.

Anti Linux rants are usually the result of a lack of Linux experience, while anti Windows rants are usually a result of a lot of Windows experience.
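The extension allow-list suggested in the post above, as an added example that is not part of the thread's upload script. The function name `safe_image_name`, the `ALLOWED` table and the sample file names are assumptions made for illustration; the returned name is meant to be used for storage in a directory outside the web root.

```php
<?php
// Added example: allow-list check for an uploaded image (not the thread's script).
const ALLOWED = [            // extension => type getimagesize() must report
    'gif'  => IMAGETYPE_GIF,
    'jpg'  => IMAGETYPE_JPEG,
    'jpeg' => IMAGETYPE_JPEG,
    'png'  => IMAGETYPE_PNG,
];

/**
 * Return a server-chosen storage name for an upload, or null to reject it.
 * $clientName is the browser-supplied name, $tmpPath the temporary file.
 */
function safe_image_name(string $clientName, string $tmpPath): ?string
{
    // pathinfo() returns only the final extension, so "x.gif.php" yields "php".
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return null;
    }
    // The content must be an image of the type the extension claims.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[2] !== ALLOWED[$ext]) {
        return null;
    }
    // Never reuse the client's name on disk: random name plus vetted extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample: a valid 1x1 GIF with the thread's phpinfo() test string
// appended, standing in for an image that carries PHP in its comments.
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7')
     . '<?phpinfo();?>';
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, $gif);

// Only photo.gif is accepted; the .php names fail the allow-list and
// photo.png fails because the content is a GIF, not a PNG.
foreach (['photo.gif', 'photo.gif.php', 'photo.php', 'photo.png'] as $name) {
    $stored = safe_image_name($name, $tmp);
    echo str_pad($name, 14), ' => ', $stored ?? 'rejected', PHP_EOL;
}
unlink($tmp);
```

The accepted file still contains the embedded string, which is why the post also recommends keeping uploads in a directory the web server does not execute or serve directly.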